I recently finished reading The Art of Computer Virus Research and Defense and believe me that was no small task. Its easily one of the more technical books you will read. Thats a tribute to the author, Peter Szor, who in my opinion is one of the founding fathers of malware analysis. His knowledge on this subject is immense. To get the most out of the book though, you would be advised to have at least a basic understanding of C++ code, IA32 Assembly, and Windows API's. It would be even better if you had some debugging and malware profiling experience. The books aim is to provide a thorough understanding of viruses by type, infection strategy and payload strategy, while explaining antivirus techniques and mitigation options.

Before I delve into the content too much, I would like to touch on some of the shortfalls of the book. First off, its not written in a traditional manner that could be easily used as a reference. It very much reads like a wiki or personal notes, which it is in effect, however that doesn't make for easy reading. I also felt the first 3 chapters took up way too much space, which could have been used for more productive topics. I particularly hated Chapter 3, where every virus type and dependecy is simply listed out in no cohesive manner. My only other complaint would have to have been to limit the discussion of older, non-relevant viruses to a concept only and focus more on a deeper undertanding of more current threats. I would like to have seen several in depth case studies in the appendix(CodeRed, Sasser, Blaster, Bagel, Slammer, etc). I also wish it came in hard cover, because my paperback binding is already in shambles from frequent page turning and rereading Smile

On to the good stuff. Chapter 4's discussion of Win32 viruses and coverage of the PE format was great. It helped me understand things quite a bit better, and had lots of code and memory visuals to look at. Its probaby the best section in the first half of the book. His coverage of in-memory strategies was also excellent and shows how malware can be read from memory after being injected in a process thread. I always wondered how heavily encrypted viruses were broken and now I know. They simply step through the code with a debugger until its decrypted in memory and then they dump it. That lead to another great section on malware defense techniques. Sophisticated malware will actually put in timers into the code so that it will know if someone is running it through a debugger line by line. The book also touches on poly and metamorphic shellcode and the type of heuristics that can be used to detect them. There is also a dedicated chapter to worms that is okay, and a really great chapter on exploits, vulnerabilities, and buffer overflows that is filled with all kinds of knowledge. The book also made me aware of a type of buffer overflow I hadn't known before. The "return-to-LIBC attack", where an overflow of the stack is done, but merely to pass malicious option to legitimate API calls, which is really hard to detect because there is no stack or heap execution. The second half of the book, Chapters 11-15, were just awesome. There were many strategies listed for dealing with worms via network controls. I particularly enjoyed Chapter 15, where he covered malicous code analysis using a defined methodology and mostly freely available tools. I also liked his advice on creating a sandbox with a honeyd and dns server to virtualize network interaction. There is also much more coverage of heuristic functions, which can aid in profiling malware, as well as a great section on memory scanning and disinfection. It exposed to me alot of the built in API commands that you can used to identify and remove viruses from memory.

There are almost too many great things to mention in the second half of the book, as mine is heavily highlighted, so you will definitely need to read for yourself. I think this book, even being 3 years old now, still fills a niche in the market that no other book does. If you deal with malware on a weekly basis, I would recommend you adding it to your library.